Abstract. Sensor-actuator network components tend to be unreliable,
especially when they are low cost or deployed in unpredictable
environments. These components may even exhibit byzantine behavior
in which case their effect on the underlying systems can be
severe. In this paper, we focus our attention on applications of sensor
networks in control of linear systems and show how to deal with
byzantine faults of components. Based on the well known Lyapunov
formulation of stability, we identify two types of fault-tolerant control
schemes for linear systems: masking and self-stabilizing. Then,
given a local control scheme which assumes that there are no byzantine
faults, we develop a masking version and three increasingly
efficient self-stabilizing versions that tolerate byzantine faults. We
demonstrate our methodology using a beam vibration control application
as a case study.

1 Introduction

A new class of distributed control applications is emerging in the field of
sensor-actuator networks. Fueled in part by recent advances in micro-electromechanics
and communication technologies, these applications deal with physical environments
where control demands scalability in spatial, temporal, and/or resource
dimensions. Scalability in turn motivates the design of control that is distributed
— and often local.

By way of an example of a distributed control application, consider the control
of acoustic vibrations in structures tessellated with a sensor-actuator network.
Sensors enable measurement of local velocity and actuators allow application
of compensating force. The sensed values are available locally as well as
globally (via the network), for use by controllers in determining the actuator
control signals. Mode control in this case necessitates some high frequency
operations (in the kHz range) that preclude control schemes based on a global
snapshot of sensor values. In other words, mode control involves distributed
schemes where data from each sensor is made available only to nodes within
some locality of that sensor, while still ensuring stability globally.

The distributed nature of these new control applications demands information
processing services that are supported by the network. On one hand,
these underlying services offer abstractions that simplify the design of the control
task. Examples include controller group synchronization, communication,
(re)parameterization, reconfiguration, fault detection, etc. On the other hand,
these underlying services themselves introduce vulnerabilities that complicate
the design of the control task. Unpredictable delays, unreliable components,
insecure or compromised components, and erroneous data affect the control,
potentially in severe and unanticipated ways. Early experiences in the co-design of
distributed control applications and underlying services reveal not only software
engineering issues — e.g., control designers expect service designers to specify
highest possible service qualities whereas the latter expect the former to specify
lowest service qualities that suffice for control purposes — but more importantly
a lack in techniques for verifying/designing distributed control based on vulnerable
network-supported services.

Problem statement. The vulnerability of network services to faults and intruders
leads us to consider the problem of designing distributed control. As
a first step in this direction, we consider a simpler version of the problem:

    Assuming that a bounded number of network nodes can exhibit incorrect
    (and potentially arbitrary) behavior, how can distributed control be
    designed to be provably stable?

In other words, we assume that at most a bounded number of network nodes are
subject to byzantine faults [1]. And since we are considering vulnerabilities of
the underlying services themselves, we do not assume that there is an underlying
network service for byzantine fault detection. It is therefore worth emphasizing
that our approach is in contrast to several recent works that deal with faults
in control systems via fault detection and subsequent isolation [2-6]. Detection
based approaches also include those which use switched linear systems [7,8].
Switched systems are hybrid dynamical systems that consist of multiple subsystems
controlled by switching laws. The switching laws are governed by the fault
detectors. We eschew the detection based approach since if the detection is performed
on a Byzantine node, it may lead to incorrect controller reconfiguration.
Systems whose parameters are uncertain and time varying are often modeled as
jump linear systems [9], when transition among the parameters is assumed to
follow a given model such as Markovian. However, in this paper we deal with
faults introduced by network nodes. The system parameters are assumed to be
constant.

Specifically, in this paper, we consider distributed control [10-15] in the context
of linear systems and present a series of four methods for control design
that deals with Byzantine components.

Organization of the paper. In Section 2, we recall a characterization of linear
systems with control inputs and a stability condition for such systems in terms of
a Lyapunov function. We then design two local control schemes that generate
actuator control signals based on local sensor values, assuming that all local
controllers are fault-free. We also illustrate the effect of faults on linear systems
running these schemes. In Section 3, we define two types of control schemes
that deal with faults: masking and self-stabilizing. We formulate a theory for
fault-tolerant control and develop four different methods for design of Byzantine
fault-tolerant control. First is a static method for designing fault-masking
control. Second is a dynamic method that achieves self-stabilizing control with
potentially lesser energy cost than the first scheme. Third is an adaptive dynamic
method, which with access to extra sensor state information, achieves faster convergence
than the dynamic method. Fourth is a dynamic balancer method, which
with added access to actuator state information, converges even better than the
adaptive dynamic method. Each of these four methods is demonstrated in the
context of a running example, a toy version of the vibration control application
described above where the structure in question is a beam and the bound on
the number of Byzantine nodes is just 1. In Section 4, we present a comparison
among the four schemes based on the energy spent in control. Lastly, in Section
5, we present conclusions and goals for future research.

2 Local Control Schemes for Linear Systems

In this section, we recall the description of a continuous time linear system with
control inputs and with no external continuous force being applied to it, and
characterize its asymptotic stability in terms of a Lyapunov function. However,
the control vector for a continuous time linear system is often computed at
discrete intervals of time. We then show that when the sampling frequency is
high, the asymptotic stability condition for the discrete time linear system is
the same as that for continuous time systems. We then present two local control
schemes for linear systems [16, 13-15] and illustrate the effect of faults on linear
systems running those schemes.

2.1 Asymptotic Stability Condition for Continuous Time Linear Systems

A linear system with control input is represented in the standard state space
format as

$$\dot{x} = Ax + Bu \tag{1}$$

where $x$ is an n-dimensional state vector $[x_1, x_2, \ldots, x_n]^T$, $u$ is an m-dimensional
actuator control vector $[u_1, u_2, \ldots, u_m]$, and $A$ and $B$ are $n \times n$ and $n \times m$
matrices, respectively.

The system state vector is observed by the sensor vector $y = [y_1, y_2, \ldots, y_p]$ as

$$y = Cx \tag{2}$$

where matrix $C$ is $p \times n$.

The control scheme for the above linear system is realized in the form of an
equation relating the control vector $u$ and the sensor vector $y$ as

$$u = Gy \tag{3}$$

where $G$ is an $m \times p$ gain matrix.

By inserting Eqs. 2 & 3 into Eq. 1, we get another form of linear control
system, represented as

$$\dot{x} = Ax + BGCx = (A + BGC)x \tag{4}$$

A well-known asymptotic stability condition for the linear system denoted in
Eq. 4 is

$$\mathrm{Re}(\lambda_i) < 0, \quad i = 1, \ldots, n \tag{5}$$

where $\lambda_i$ is the i-th eigenvalue of matrix $(A + BGC)$ and function $\mathrm{Re}(a)$ is the
real part of the complex variable $a$. Note that if the real part of one or more of
these eigenvalues becomes zero, the system remains stable but not asymptotically
stable. However, if the real part of any of the eigenvalues becomes greater than
zero, the system becomes unstable [17].

Matrices $B$ and $C$ are strongly dependent on the locations of the sensors and
actuators. The gain matrix $G$ is determined by several alternative control design
schemes such as pole allocation, optimal control design, Lyapunov etc., in such
a way that the matrix $(A + BGC)$ makes the system asymptotically stable.


Now, let us define function $V$ as

$$V = x^T M x \tag{6}$$

where $M$ is a symmetric, positive definite $n \times n$ matrix. The time-derivative
of $V$, $\dot{V}$, is derived using Eqs. 1 & 4 as

$$\dot{V} = \dot{x}^T M x + x^T M \dot{x} \tag{7}$$

$$= x^T((A + BGC)^T M + M(A + BGC))x, \quad \text{from Eq. 4} \tag{8}$$

$$= -x^T U x \tag{9}$$

$$= x^T(A^T M + MA)x + u^T B^T M x + x^T M B u \tag{10}$$

$$= x^T(A^T M + MA)x + 2x^T M B u \tag{11}$$


4 


Y.  M.  Kim  et  al 


where matrix $U$ is a positive definite, symmetric matrix.

It is well-known that the linear system denoted in Eq. 4 is asymptotically
stable iff there exist positive definite, symmetric matrices $M$ and $U$ in Eq. 9 [18,
19]. Notice also from Eq. 9 that irrespective of the value of the state variable $x$
in its entire state space, $\dot{V}$ is always negative. Hence, $V$ is a Lyapunov function.

If the value of the Lyapunov derivative becomes strictly positive for any value
of $x$ due to the occurrence of faults, which consequently lead to faulty control
signals, the system becomes unstable. Let the stability margin $S(x)$ of the system
in the state $x$ denote the margin of the system from the unstable region.

$$S(x) = x^T(A^T M + MA)x + 2x^T M B u \tag{12}$$

Thus, $S(x)$ is equal to $\dot{V}$. Note that under normal fault free operation,
$S(x) = -x^T U x$ and the stability margin is always negative.

2.2 Asymptotic Stability Condition for Discrete Time Linear Systems

The control vector for a linear system is often computed at discrete time intervals.
Suppose that the period of each interval is $T$. We now show that when the
sampling frequency is high, the rate of change of the Lyapunov function stays
the same as in Eq. 11.

The computed control vector $u(kT)$ at instant $kT$, $k \ge 0$, is fed back into
the system during the interval $[kT, (k+1)T)$. Note that this control vector does
not change its value during that period. Then the discrete time system can be
modeled by the following state equations [20]:

$$x((k+1)T) = e^{AT} x(kT) + BT u(kT) \tag{13}$$

$$= (I + (AT) + \tfrac{1}{2}(AT)^2 + \cdots)x(kT) + BT u(kT) \tag{14}$$

If the period $T$ is small enough, it is reasonable to omit the higher powers of
$AT$. Hence the equation gets the simpler form:

$$x((k+1)T) = (I + (AT))x(kT) + BT u(kT) \tag{15}$$

The Lyapunov function for the discrete time linear system is modeled as:

$$V(kT) = x^T(kT) M x(kT) \tag{16}$$

where $M$ is a symmetric positive definite $n \times n$ matrix.

The rate of change of the Lyapunov function is derived as follows:

$$\Delta V(kT) = (V((k+1)T) - V(kT))/T \tag{17}$$

$$\approx x^T(kT)((A + BGC)^T M + M(A + BGC))x(kT) \tag{18}$$

where the second order terms attached with $T^2$ are ignored.

Thus we see that the rate of change of the Lyapunov function is equal to the
Lyapunov derivative obtained by Eq. 11.

From here on for simplicity of notation, we denote $V(kT)$ as $V$, $x(kT)$ as $x$
and so on for each state variable. Also, we denote $\Delta V(kT)$ as $\dot{V}$.

In the following subsection, we recall two local control schemes for linear
systems and employ the Lyapunov function $V$ to analyze their stability margins.

2.3 Local Control Schemes Assuming No Faults

A distributed control system consists of a dynamic physical plant and multiple
nodes that are connected by a wired or wireless network. Each node consists of
a sensor, an actuator, a processor, and network services. It measures the plant
state with its sensor, exchanges control information with the other nodes using
its network services, computes the control signal according to its control logic,
and applies the signal to the plant through its actuator.

In this section, we recall two local control schemes for linear systems and
employ the Lyapunov function $V$ to analyze their stability margins. In the first
scheme, the control vector generated is proportional to the sensor vector. This
is called the linear local control scheme [16, 13-15]. In the second scheme, the
control inputs are binary valued. This is called the on-off local control scheme.
Restating Eq. 11,

$$\dot{V} = x^T(A^T M + MA)x + 2x^T M B u.$$

If matrices $A$, $M$, $C$ and $B$ satisfy the following conditions, then the system
is controlled locally, i.e., no control information is exchanged between nodes.

$$C^T C = A^T M + MA \tag{19}$$

$$C = B^T M \tag{20}$$

Based on these two conditions, the Lyapunov derivative becomes

$$\dot{V} = x^T(A^T M + MA)x + 2x^T M B u$$
$$= x^T(C^T C)x + 2x^T((B^T M)^T)u$$
$$= x^T(C^T C)x + 2x^T C^T u$$
$$= (Cx)^T Cx + 2(Cx)^T u$$
$$= y^T y + 2y^T u \tag{21}$$

Let the system have $m$ nodes.

$$\dot{V} = \sum_{i=1}^{m} \left((y_i)^2 + 2 y_i u_i\right) \tag{22}$$

Recall that the Lyapunov derivative is interpreted as the stability margin for
the system. If we were to specify a constant stability margin $s$ for the system,
where $s$ is a negative number, then the control force $u_i$ would have to be very
large when the sensor vector $y_i$ was very small. Hence, we specify our requirement
for the stability margin $S(x)$ as a value proportional to the sensor vector:

$$S(x) = s \cdot f(y_i) \tag{23}$$

where $s$ is the stability margin constant for the system and $f(y_i)$ is a function
of the sensor vector. Consider the following linear local control scheme.

Linear Local Control Scheme

Input: local sensor data y_i; s
Output: local control signal u_i
Procedure:
    while true do
        u_i = (1/2)(s - 1) y_i
    od

The above scheme generates $u$ such that

$$\dot{V} = \sum_{i=1}^{m} \left((y_i)^2 + 2 y_i u_i\right) = s \cdot \sum_{i=1}^{m} (y_i)^2 \tag{24}$$

Thus, the stability margin for this system is $s \cdot \sum_{i=1}^{m} (y_i)^2$. Since $u$ is derived
from the local sensor data without computing the state vector, this scheme is
also called direct feedback control [21,22].

An alternative local control scheme is an on-off scheme [23], where the control
inputs are binary valued. Thus, for all $i$, $u_i$ is either $+N$ or $-N$, where $N$ is a
positive value such that $y_i < 2N - |s|$.

On-Off Local Control Scheme

Input: local sensor data y_i, stability margin (with negative value) s
Output: local control signal u_i
Procedure:
    N = (max(|y_i|) + |s|)/2
    while true do
        u_i = -N x sign(y_i)
    od

For this on-off control scheme, we have from Eq. 21:

$$\dot{V} = s \times \sum_{i=1}^{m} |y_i| \tag{25}$$

Thus the stability margin for this system is $s \times \sum_{i=1}^{m} |y_i|$.
The application of each of these schemes is demonstrated in the context of
a simplified version of the beam vibration control system outlined in Section 1,
which we describe next.

2.4 Beam Vibration Control System: A Running Case Study

Given is a uniform beam of unit length, unit mass, and unit stiffness factor, that
is restricted by pins at both ends and subjected to an initial disturbance. The
beam has no dampening factor so that it may vibrate endlessly. Control force is
applied to reduce the vibration. (Such a system is called an energy conserving
control system.)

We assume that only two fundamental vibration modes are significant in the
vibration and the remaining ones are hence ignored in our analysis.

The two fundamental vibration modes, denoted as $M_1$ and $M_2$, are derived
[17] as follows:

$$M_1 : 1.4142 \sin \pi z, \quad \lambda_1 = \omega_1^2 = 97.4091 \tag{26}$$

$$M_2 : 1.4142 \sin 2\pi z, \quad \lambda_2 = \omega_2^2 = 1558.5455 \tag{27}$$

where $z \in [0.0, 1.0]$ denotes the position in the beam spatial axis and $\lambda_i$
and $\omega_i$, $i = 1, 2$, represent the eigenvalues and the frequencies of the i-th modes,
respectively.

Since each mode is governed by a second-degree differential equation, the
state vector for the system contains four variables $x = [x_1, x_2, x_3, x_4]^T$. $x_1$ ($x_2$)
and $x_3$ ($x_4$) denote the vertical displacement and velocity of first (second) vibration
mode, respectively. Then, the system matrix $A$ in Eq. 1 is denoted as

$$A = \begin{bmatrix} 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ -97.4091 & 0 & 0 & 0 \\ 0 & -1558.5455 & 0 & 0 \end{bmatrix}$$


Since the beam is an energy conserving dynamic system, the energy function
can be employed as the Lyapunov function. The energy or Lyapunov function
$E$ and its derivative $\dot{E}$ are derived as follows:

$$E = \tfrac{1}{2} x^T M x \tag{28}$$

where

$$M = \begin{bmatrix} 97.4091 & 0 & 0 & 0 \\ 0 & 1558.5455 & 0 & 0 \\ 0 & 0 & 1.0 & 0 \\ 0 & 0 & 0 & 1.0 \end{bmatrix}$$

$$\dot{E} = x^T M B u = y^T u \tag{29}$$


Note that the equation above differs from the Lyapunov derivative Eq. 21,
in that the term $y^T y$ is now missing. This is due to energy conservation, which
makes $A^T M + MA$ a null matrix. Note also that the term $y^T u$ has multiplicative
constant 1 instead of 2 since the definition of the energy function has a
multiplicative constant $\tfrac{1}{2}$ instead of 1.

As mentioned previously, the sensor matrix $C$ and the actuator matrix $B$
are dependent on the location of the nodes. In what follows, let us consider a
distributed control system for the beam that consists of three nodes, located
at the following positions: $z = 0.221, 0.236, 0.5$. In this particular configuration,
from Eqs. 26 & 27, the matrices $B$ and $C$ are



$$B = \begin{bmatrix} 0 & 0 & 0 \\ 0 & 0 & 0 \\ 0.9049 & 0.9551 & 1.4142 \\ 1.3908 & 1.4087 & 0 \end{bmatrix}$$


In the above matrices, each element is computed from the mode equations,
Eqs. 26-27. As an example, the influence constant for the node at $z = 0.221$ in
mode $M_1$ is computed using Eq. 26, i.e., $0.9049 = 1.4142 \sin(\pi \cdot 0.221)$, and the
influence constant for the node at $z = 0.221$ in mode $M_2$ is computed using
Eq. 27 as $1.3908 = 1.4142 \sin(2\pi \cdot 0.221)$ and so on.


$$C = B^T M = B^T = \begin{bmatrix} 0 & 0 & 0.9049 & 1.3908 \\ 0 & 0 & 0.9551 & 1.4087 \\ 0 & 0 & 1.4142 & 0 \end{bmatrix}$$


The linear and on-off local control schemes for linear systems described in the
previous subsection can be adapted for this energy conserving system as follows:

$$\text{Linear control}: \quad u_i = g_i \cdot y_i \tag{30}$$

$$\text{On-off control}: \quad u_i = l_i \cdot \mathrm{sign}(y_i) \tag{31}$$

where $g_i$ is a negative number, the local gain factor, and $l_i$ is a negative number,
the local on-off level. Note that the greater the gain $g_i$, the greater the stability margin
for linear control. For the on-off control scheme, the level $l_i$ has to be greater
than the maximum of $y_i$. (See section 2.2) Again, the greater this level, the greater the
stability margin. The effect of different values of gain and on-off level on the
linear system is illustrated in the simulation below.

Simulation. Simulations of all the control schemes discussed in this paper have
been done in Matlab using Simulink. The graphs in Figs. 1 and 2 show the
energy in the beam decreasing with time and eventually reaching zero, for the
linear control scheme and the on-off control scheme. The three sensor-actuator
nodes are placed at $z = 0.221, 0.236, 0.5$. It is observed that the time to stabilize
the beam is inversely proportional to the gain and the on-off level. Note that in
each of our simulations, when the energy in the beam falls to a reasonably low
threshold, e.g. 0.5% of the original value, the system is said to have stabilized.

2.5 Effect of Faults on the Beam Vibration System

In this section, we illustrate the effect of a faulty node on the quality of control
that is achieved. In one experiment, the node at location $z = 0.5$ was made to
generate random values. In another experiment, that node was made to generate
the maximum force in the opposite direction to what was required. The graph
in Fig. 3 shows the energy in the beam with respect to time, in both these
experiments. The faults are observed to be intolerable.
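
The effect of a single wrong-way node can be reproduced numerically. The following is an added example, not the authors' Simulink model: it integrates the three-node beam of Section 2.4 under the linear scheme of Eq. 30 with a fixed-step RK4 integrator, and models the faulty node at z = 0.5 as applying the sign-inverted linear signal. The gain value, initial state, step size and time horizon are assumptions chosen for illustration.

```python
import math

LAMBDA = (97.4091, 1558.5455)   # modal eigenvalues, Eqs. 26-27
NODES = (0.221, 0.236, 0.5)     # node positions from Section 2.4
# Influence constants (mode 1, mode 2) of each node, from the mode shapes.
B_ROWS = [(1.4142 * math.sin(math.pi * z), 1.4142 * math.sin(2 * math.pi * z))
          for z in NODES]


def energy(x):
    """E = 1/2 x^T M x with M = diag(lambda_1, lambda_2, 1, 1) (Eq. 28)."""
    return 0.5 * (LAMBDA[0] * x[0] ** 2 + LAMBDA[1] * x[1] ** 2
                  + x[2] ** 2 + x[3] ** 2)


def derivative(x, gains):
    """dx/dt = Ax + Bu with local feedback u_i = gains[i] * y_i and y = Cx."""
    f1 = f2 = 0.0
    for (b1, b2), g in zip(B_ROWS, gains):
        u = g * (b1 * x[2] + b2 * x[3])   # y_i depends only on modal velocities
        f1 += b1 * u
        f2 += b2 * u
    return (x[2], x[3], -LAMBDA[0] * x[0] + f1, -LAMBDA[1] * x[1] + f2)


def rk4_step(x, gains, dt):
    """One classical Runge-Kutta step of the closed-loop system."""
    k1 = derivative(x, gains)
    k2 = derivative([a + 0.5 * dt * b for a, b in zip(x, k1)], gains)
    k3 = derivative([a + 0.5 * dt * b for a, b in zip(x, k2)], gains)
    k4 = derivative([a + dt * b for a, b in zip(x, k3)], gains)
    return [a + dt / 6.0 * (p + 2 * q + 2 * r + s)
            for a, p, q, r, s in zip(x, k1, k2, k3, k4)]


def energy_ratio(gains, x0=(0.1, 0.0, 0.0, 0.0), t_end=20.0, dt=1e-3):
    """Return E(t_end) / E(0) for the closed loop with the given node gains."""
    x = list(x0)
    e0 = energy(x)
    for _ in range(int(round(t_end / dt))):
        x = rk4_step(x, gains, dt)
    return energy(x) / e0


G = -1.0                 # assumed gain; negative, as Eq. 30 requires
HEALTHY = (G, G, G)      # all three nodes follow the linear scheme
FAULTY = (G, G, -G)      # node at z = 0.5 pushes in the wrong direction

if __name__ == "__main__":
    print("healthy E(T)/E(0):", energy_ratio(HEALTHY))
    print("faulty  E(T)/E(0):", energy_ratio(FAULTY))
```

With the first mode excited, the two healthy nodes remove less energy per cycle than the inverted node at z = 0.5 injects, so the energy ratio grows instead of falling below the 0.5% stabilization threshold.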

The rest of the paper outlines a fault model for such a linear control system
and describes control schemes that are (masking or self-stabilizing)
fault-tolerant.

Fig. 1. Comparison of On-Off Control for Different On-Off Levels (energy vs time)


3 Fault-Tolerant Control Schemes

In this section, we develop a little theory of fault-tolerant linear systems, present
a fault model for a linear control system and devise four fault-tolerant control
schemes.

3.1 Fault-Tolerant Linear Systems

Given a faulty control vector $u^f$, let the fault index set of $u^f$ be the set of indices
of faulty control signals, $I(u^f, u) = \{i : 1 \le i \le n, \; u_i^f \ne u_i\}$. Let the control
failure levels $F(i, u^f, u, x)$, for $i \in I(u^f, u)$, and $F(u^f, u, x)$ measure the impact
of the faulty control signal $u_i^f$ and the faulty control vector $u^f$, respectively, on
the Lyapunov derivative in Eq. 9.

$$F(i, u^f, u, x) = 2(x^T M B)_i (u_i^f - u_i) \tag{32}$$

$$F(u^f, u, x) = \sum_{i \in I(u^f, u)} F(i, u^f, u, x) \tag{33}$$

Now, faulty control signals may or may not affect system stability. If the control
failure level is positive (negative), system stability deteriorates (is enhanced).
Under the influence of the faulty control vector $u^f$, the stability
margin $S(u^f, x)$ is

$$S(u^f, x) = x^T(A^T M + MA)x + 2x^T M B u^f = F(u^f, u, x) - x^T U x. \tag{34}$$

Fig. 2. Effect of Gain on Linear Control (energy vs time)


If $S(u^f, x)$ is always negative, the linear system is asymptotically stable even
in the presence of faults, and is fault-tolerant. If it is not always negative,
fault-tolerance requires that the values of some normal control signals be modified so
as to shift the stability margin into the negative region. Suppose that a
fault-tolerant control vector $u^t$ is generated by one such modification scheme. Let the
fault-tolerant index set for control vectors $u^t$, $u^f$ and $u$ be the set of indices of
fault-compensating control signals, $J(u^t, u^f, u) = \{i : 1 \le i \le n, \; u_i^t \ne u_i^f\}$. Let
the control stabilization levels $P(i, u^t, u^f, x)$, for $i \in J(u^t, u^f, u)$, and $P(u^t, u^f, x)$
measure the impact of fault-compensation signal $u_i^t$ and fault-compensation control
vector $u^t$ respectively on the Lyapunov derivative in Eq. 9.

$$P(i, u^t, u^f, x) = 2(x^T M B)_i (u_i^t - u_i^f) \tag{35}$$

$$P(u^t, u^f, x) = \sum_{i \in J(u^t, u^f, u)} P(i, u^t, u^f, x) \tag{36}$$



The new fault-tolerant stability margin for the fault-tolerant control input $u^t$
is

$$S(u^t, u^f, x) = x^T(A^T M + MA)x + 2x^T M B u^t \tag{37}$$

$$= P(u^t, u^f, x) + F(u^f, u, x) - x^T U x \tag{38}$$

We may now identify two types of fault-tolerant control.

Fig. 3. Effect of Faults on Stability of Beam Vibration Control (energy vs time)


Definition. (Masking) If a linear system $L$ always satisfies the condition $S(u^f, x) < 0$
over the entire domain of $u^f$ and $x$, except at the equilibrium point $x = 0$,
then $L$ is masking fault-tolerant.

Definition. (Self-Stabilizing) If linear system $L$ and its control vector $u^t$ eventually
always satisfy the condition $S(u^t, u^f, x) < 0$ over the entire domain of $u^f$ and
$x$, except at the equilibrium point $x = 0$, then $L$ is self-stabilizing fault-tolerant.

In other words, a linear system is fault-tolerant if it is either masking (i.e.
always its stability margin is negative) or self-stabilizing (iff eventually always
its stability margin is negative).

3.2 Fault Model

The system contains at most $k$ Byzantine nodes, for a given bound $k$. A byzantine
node may behave in an arbitrary manner, in its sensing, its processing, its
actuation, and its communications. In particular, it may apply an arbitrary control
force (chosen from the bounded domain of the actuator) and can make the
system unstable.

The amount of information that is available in the system affects the ability
of a control scheme to tolerate byzantine faults. On one hand, if the control
failure level in the presence of byzantine faults can be measured, fault-tolerance
is readily achieved. On the other hand, such failure information is often not
available. In the following subsections, we propose four fault-tolerant control
schemes that vary in the amount of failure information that is available to them.
The application of each of these schemes is demonstrated in the context of a
simplified version of the beam vibration control system described in Section 2.

3.3 Static Fault-Tolerant Scheme

One approach to designing a fault-tolerant control scheme is to pessimistically
assume that all byzantine nodes generate the worst possible actuator control signal
(so as to drive the Lyapunov derivative farthest into the positive domain),
and to then choose a configuration of nodes such that the system remains asymptotically
stable over the entire domain of the state space $x$. We call this approach
the static fault-tolerant scheme.

The static scheme performs a node configuration search starting with $k + 1$
nodes, where $k$ is the bound on the number of byzantine nodes. Given the number
of nodes, their locations, and assuming the worst possible signals from the byzantine
nodes, it expresses the Lyapunov derivative as a nonlinear equation. It then
partitions the state space into a set of subdomains so that, in each subdomain,
the equation becomes linear. If in all the subdomains the Lyapunov derivative
remains negative, that configuration constitutes a masking fault-tolerant control
system. If no such configuration exists, the number of nodes is increased and
the search is continued.

The static fault-tolerant scheme is described below, with control assumed to
be on-off. Formally, the static fault-tolerant scheme is:

Static Fault-Tolerant Control Scheme

Input: On-off local control scheme (H), k
Output: node configuration (the number of nodes and their locations)
Procedure:
    set number of nodes = k - 1
    while true do
        increment number of nodes by one
        for each possible locations for the current set of nodes
            compute sensor and actuator matrices C and B
            partition the total state space domain into a set of linear subdomains
                {P_1, P_2, ..., P_l}
            for each subdomain P_t, 1 <= t <= l
                for each subset of k nodes in the current configuration
                    assume the nodes in the subset are byzantine
                    compute the maximum faulty control margin S(u^f, x)
                    if there exists a location x in P_t (other than x = 0) s.t. S(u^f, x) >= 0
                    then continue
                    else return the current configuration data
    od

Application of the Scheme in Beam Vibration Control. To simplify
finding a masking fault-tolerant scheme, we restrict the n-node configuration in
the beam to satisfy the following pattern:

$$z_i = 0.25 + 0.014(i - n - 0.5), \quad 1 \le i \le n, \; n > 2 \tag{39}$$

In other words, the $n$ nodes are distributed around the central location 0.25
with uniform distance 0.014. The following theorem shows that this configuration
makes the beam vibration distributed control system masking fault-tolerant to
one byzantine node.

Theorem 1. The five node on-off local control scheme for beam vibration that
satisfies Eq. 39 is masking fault-tolerant to one byzantine fault.

Proof. Let $L$ be the level for on-off control at each node. Note that, with $n = 5$, $z_i$
is equal to 0.222, 0.236, 0.25, 0.264, 0.278. Then, from Eqs. 26 & 27, the influence
matrix $B$ and the sensitivity matrix $C$ are

$$B = \begin{bmatrix} 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 \\ 0.9049 & 0.9551 & 1.0 & 1.043 & 1.0868 \\ 1.3908 & 1.4087 & 1.4142 & 1.4087 & 1.3908 \end{bmatrix}$$

$$C = B^T = \begin{bmatrix} 0 & 0 & 0.9049 & 1.3908 \\ 0 & 0 & 0.9551 & 1.4087 \\ 0 & 0 & 1.0 & 1.4142 \\ 0 & 0 & 1.043 & 1.4087 \\ 0 & 0 & 1.0868 & 1.3908 \end{bmatrix}$$


The  Lyapunov  derivative  for  the  five  node  beam  vibration  system  is: 

E  =  yTu  =  ( Cx)t(-L  *  signfyf) 

=  —L  x  |0.9049x3  +  1.3908x4|  -Lx  |0.9551x3  +  1.4087x4| 

-L  x  |1.0x3  +  1.4142x4|  -Lx  |1.043x3  +  1.4087x4| 

-Lx  1 1.0868x3  +  1.3908x4 1 

When  there  are  no  faulty  nodes,  control  is  applied  in  the  direction  opposite 
to  the  sensed  force.  Hence  the  energy  derivative  is  always  negative.  But  now 
consider  the  case  when  one  of  the  nodes  is  byzantine.  It  always  applies  a  force 
of  level  L  in  the  wrong  direction. 

Since  the  above  equation  is  nonlinear,  first  it  is  partitioned  into  a  set  of  linear 
equations.  The  five  linear  equations,  obtained  by  equating  the  five  absolute  terms 
in  the  Lyapunov  derivative  to  zero,  partition  the  system  state  space  into  ten 
subdomains. 

For example, suppose that subdomain $R_1$ represents the region in which all
expressions inside the absolute terms are positive. Then, the Lyapunov
derivative in $R_1$ becomes $s(4.9898x_3 + 7.0276x_4)$. Suppose that the node at
$z = 0.264$ is the byzantine node; the fourth term in the Lyapunov derivative is
then set with the opposite sign and the corresponding Lyapunov derivative in
subdomain $R_1$ becomes $s(2.9038x_3 + 4.2102x_4)$. This is less than zero, except
at the equilibrium point when it is zero. Using the same approach, the Lyapunov
derivative can be shown to be less than zero in all subdomains, irrespective of
whichever node goes faulty. □
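
The case analysis in this proof can be checked mechanically. The following is an added example, not the authors' code: it takes the non-zero columns of $C$ from this page, evaluates the Lyapunov derivative per unit level $L$ on the ten boundary rays between subdomains for every choice of $k$ byzantine nodes (the inner loops of the static scheme), and reports the worst case. The function names and the reduction to boundary rays are assumptions of this example.

```python
from itertools import combinations
from math import hypot

# Non-zero columns of C for the nodes at z = 0.222 ... 0.278 (values from the page).
C = [(0.9049, 1.3908), (0.9551, 1.4087), (1.0, 1.4142),
     (1.043, 1.4087), (1.0868, 1.3908)]


def boundary_rays(rows):
    """Unit vectors in the (x3, x4) plane on which one |c_i . x| term vanishes.

    Five lines through the origin give ten rays, which bound the ten
    subdomains in which every sign(c_i . x) is constant.
    """
    rays = []
    for a, b in rows:
        n = hypot(a, b)
        rays += [(b / n, -a / n), (-b / n, a / n)]
    return rays


def faulty_derivative(rows, faulty, x, level=1.0):
    """Lyapunov derivative at x when the nodes in `faulty` push the wrong way."""
    total = 0.0
    for i, (a, b) in enumerate(rows):
        term = level * abs(a * x[0] + b * x[1])
        total += term if i in faulty else -term
    return total


def worst_case(rows, k, level=1.0):
    """Largest derivative over all k-subsets of byzantine nodes.

    Inside a subdomain the derivative is linear in x, so it is negative on the
    whole subdomain exactly when it is negative on both bounding rays; checking
    the rays therefore covers every non-zero (x3, x4).
    Returns (derivative, faulty node indices, ray).
    """
    rays = boundary_rays(rows)
    return max(
        (faulty_derivative(rows, set(f), x, level), f, x)
        for f in combinations(range(len(rows)), k)
        for x in rays
    )


def is_masking(rows, k):
    """True if the derivative stays negative with any k byzantine nodes."""
    return worst_case(rows, k)[0] < 0.0


if __name__ == "__main__":
    for k in range(3):
        value, faulty, _ = worst_case(C, k)
        print(k, "byzantine:", "masking" if value < 0 else "not masking",
              "worst derivative/L =", round(value, 4), "faulty =", faulty)
```

With the page's values the tightest one-fault case is the node at z = 0.278 misbehaving on the boundary where the reading of the node at z = 0.236 vanishes, and two byzantine nodes already make the derivative positive somewhere.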

Corollary 1. Every five node on-off local control scheme for beam vibration that
satisfies Eq. 40 is masking fault-tolerant to one byzantine fault.

$$z_i = 0.25 + d\left(i - \frac{k}{2} - 0.5\right), \quad 1 \le i \le k,\ k \ge 2,\ d \in [0, 0.67] \qquad (40)$$

Proof.  The  proof  is  similar  to  that  for  Theorem  1  and  is  skipped  here.  □ 

Simulation. In Fig. 4, we show the energy in the beam plotted against time (in
seconds) for the static scheme. Each node generates either +5 or −5 units of
force, in the opposite direction of the sensed force. Three cases are considered:
no faults in the system, one node generating the force in a random direction and
one byzantine node which generates the force always in the wrong direction. On
comparing with Fig. 3, we observe that with the static scheme, the energy in
the beam decreases in each of the fault scenarios.




Fig.  4.  Static  Fault-Tolerant  Scheme  (energy  vs  time) 


In the static scheme, irrespective of the magnitude of the fault or the
magnitude of the sensed force, each node generates a constant force, resulting in huge
energy spent in control. However, it is possible that the faults may not be very
severe and they can be tolerated by applying less than the maximum force all
the time and/or with fewer nodes. The following linear schemes are based on
this idea. A comparison of the energy spent in control in all the schemes, with
and without faults, is made in Section 5.

3.4  Dynamic  Fault-Tolerant  Scheme 

In this scheme, we relax the pessimistic assumption that byzantine nodes
generate the worst possible control signals. The scheme increases the control force at
each node linearly from a certain minimum value. Thus if the byzantine faults are
not very severe, they can be tolerated with less energy. The dynamic scheme
thus yields more energy efficient control than the static scheme.

Dynamic Fault-Tolerant Control Scheme (at k-th node)

Input: positive gain adjustment rate A, time unit length t_b,
       node configuration (output by static fault-tolerant scheme)
Output: local gain factor g_k
Procedure:
  (Initially)
  set g_k = syk (From Eq. 30)
  set i = 1 and S_ 2 = S_ 1 = 0
  while true do
    at the beginning of time interval I_i
      let S_i = E_{i-1} - E_{i-2}
      if S_i < 0 then S_i = 0
      update g_k = g_k - A · S_i
    increment i by one
  od

Description. Time is partitioned into uniform intervals of length $t_b$. One choice
for $t_b$ is the period of the fundamental frequency mode. Let $E_i$ be the system
excitation level of the $i$-th interval, $I_i = [(i-1)t_b, i\,t_b)$. This is equal to the
maximum sensor value $y_k$ sensed during the $i$-th interval at node $k$. Let the
system stability level ($S_i$) at the beginning of the $i$-th interval ($I_i$) be the
difference $E_{i-1} - E_{i-2}$. If the stability level $S_i$ is negative, then the system is
stable at the beginning of $I_i$; otherwise it is unstable. Depending on the value of
$S_i$, the control gain is updated to improve the stability level during time
interval $I_i$. From the static scheme, we have the safety guarantee that when the
control forces are maximum, the system will be asymptotically stable.

Application  of  the  Scheme  in  Beam  Vibration  Control  In  the  beam 
vibration  example,  the  2  modes  have  frequencies  9.87  Hz  and  39.48  Hz.  Hence, 
without  control  input,  the  local  velocity  profile  repeats  itself  every  1/9.87  = 
101  milliseconds.  If  a  control  input  is  applied  on  the  beam,  the  local  velocity 
should  decrease  at  least  every  101ms.  Hence,  tb  is  input  as  101ms.  The  location 
of  the  nodes  and  the  matrices  B  and  C  remain  the  same  as  in  the  static  fault- 
tolerant  scheme. 
Theorem 2. The five node distributed control system for beam vibration
resulting from the dynamic fault-tolerant scheme is self-stabilizing fault-tolerant.

Proof.  We  know  that  the  5  nodes  on-off  distributed  control  system  tolerates  one 
byzantine  fault.  Hence,  in  the  dynamic  system,  when  the  gain  factor  becomes 
sufficiently  high  so  as  to  get  the  control  forces  to  the  maximum,  the  system  is 
guaranteed  to  stabilize.  □ 

Optimization. Instead of activating all 5 nodes, we can start off by activating
just 2 nodes. If the local velocities do not drop after say 10 $t_b$, an additional
node can be activated until at most all five are active. Note, however, that this
optimization requires a centralized controller.

Simulation  In  Fig.  5,  we  show  the  energy  in  the  beam  plotted  against  time  (in 
seconds)  for  the  dynamic  scheme.  In  order  for  this  analysis  to  be  comparable 
with  the  analysis  of  the  static  scheme,  the  on-off  level  in  the  static  scheme  was 
set  to  5  and  the  actuator  forces  in  the  dynamic  scheme  were  bounded  by  5. 
Thus,  the  local  gain  factors  in  the  dynamic  scheme  can  increase  and  bring  each 
actuator  force  to  at  most  equal  the  on-off  level  of  the  static  scheme.  We  compare 
the  performance  with  that  of  the  static  scheme  in  the  following  three  cases: 

—  no  faulty  nodes  in  the  system  :  desired  control  is  achieved  with  2  nodes  in 
the  system, 

—  one  node  that  generates  random  forces  :  desired  control  is  achieved  with  3 
nodes  in  the  system,  and 

—  one  byzantine  node  which  generates  maximum  force  in  the  wrong  direction 
:  desired  control  is  achieved  with  4  nodes  in  the  system. 

3.5  Dynamic  Adaptive  Fault-Tolerant  Scheme 

In the previous scheme, we used the local excitation levels as a measure of
system stability. This is, however, an approximate measure, and the time interval
$t_b$ required to make the gain adjustment is relatively large and can result in
significant convergence time.

To calculate the stability measure exactly, some global knowledge of the
system state is required. For example, the Lyapunov function can be computed
if the correct system state vector is available. The expected Lyapunov
derivative can then be calculated using the state vector and Eqs. 2 and 3. However,
without measuring the actuator force, the real Lyapunov derivative cannot be
computed. So we use the following approximation. Suppose that the Lyapunov
functions $V_{i-1}$ and $V_i$ denote the value at the beginning of intervals $I_{i-1}$ and
$I_i$, respectively. Then, the actual Lyapunov derivative $\dot{V}_i$ can be approximated
as $\frac{V_i - V_{i-1}}{t_b}$. Suppose that the expected Lyapunov derivative at the beginning
of interval $I_i$ is V. Then, the difference between the actual and the expected
Lyapunov derivative can be exactly compensated by incrementing the gain. The
following scheme implements this idea (the method for computing the correct
state vector from the sensing data is application specific).
Fig. 5. Dynamic Fault-Tolerant Scheme (energy vs time graph). Curves: no faults, 1 byzantine node, 1 random node.


Dynamic Adaptive Fault-Tolerant Control Scheme

Input: time interval length t_b,
       node configuration (output by static fault-tolerant scheme)
Output: gain factor g_k
Procedure:
  (Initially)
  set g_k = syk (From Eq. 30)
  set i = 1 and Vo = Vl
  while true do
    at the beginning of time interval I_i
      if vt < Vi then V- = Vt
      additional gain Δg_k to provide margin, (Vi − Vi)
    increment i by one
  od

If the Lyapunov function after time $t_b$ is larger than expected, the local
gain factor is increased. When the gain factor becomes sufficiently large, the
control force generated will converge to that in the on-off scheme. Thus, from
the asymptotic stability of the static distributed control system, it is guaranteed
that even if the worst actuator input is injected by the byzantine node, the
system will eventually become asymptotically stable. The time bound $t_b$ can
be made much smaller than in the dynamic fault-tolerant control scheme. Thus,
the dynamic adaptive fault-tolerant scheme achieves faster convergence than the
dynamic fault-tolerant scheme.

Application of the Scheme in Beam Vibration Control. To compute
the Lyapunov function, we need the state velocity vectors $x_3$ and $x_4$ for the
beam. These state velocity vectors can be computed using any 2 correct local
sensor vectors $y_k$. However, any of the nodes could be byzantine and hence their
sensor values corrupt. The following theorem helps us determine the correct state
velocity vectors for the beam.

Theorem  3.  Four  sensors  located  anywhere  along  the  beam  suffice  to  correctly 
determine  the  state  velocity  vectors  for  the  beam,  given  at  most  one  byzantine 
node. 

Proof. Since the state vector comprises two velocity variables ($x_3$ and $x_4$), two
correct sensor values are sufficient to determine the state velocity vectors. As an
example, with the help of two nodes located at z=0.221 and z=0.279, the two
modal velocities can be derived from the sensor data $y_1$ and $y_2$ as follows

$$\begin{bmatrix} x_3 \\ x_4 \end{bmatrix} =
\begin{bmatrix} 0.9049 & 1.3908 \\ 1.0868 & 1.3908 \end{bmatrix}^{-1}
\begin{bmatrix} y_1 \\ y_2 \end{bmatrix}$$

With four sensors, we have six pairs of sensor values that can give us the
state velocity vectors. Given only one byzantine node, three of those six pairings
will not contain the byzantine value. □
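
An added example (not the authors' code) of the reconstruction argued in this proof: each of the six sensor pairs is inverted as in the 2×2 system above, and the state on which at least three pairs agree is accepted, which also singles out the byzantine sensor. The sensor rows are taken from the matrix $C$ on this page; the function names, the agreement tolerance and the noise-free sample readings are assumptions of the example.

```python
from itertools import combinations

# Non-zero columns of C for four of the page's node locations
# (z = 0.222, 0.236, 0.264, 0.278).
SENSORS = [(0.9049, 1.3908), (0.9551, 1.4087),
           (1.043, 1.4087), (1.0868, 1.3908)]


def solve_pair(c1, c2, y1, y2):
    """Invert [c1; c2] [x3, x4]^T = [y1, y2]^T with Cramer's rule."""
    det = c1[0] * c2[1] - c1[1] * c2[0]
    if abs(det) < 1e-9:
        raise ValueError("sensor rows are not independent")
    x3 = (y1 * c2[1] - c1[1] * y2) / det
    x4 = (c1[0] * y2 - c2[0] * y1) / det
    return x3, x4


def close(p, q, tol):
    return abs(p[0] - q[0]) <= tol and abs(p[1] - q[1]) <= tol


def estimate_state(rows, readings, tol=1e-6):
    """Return ((x3, x4), suspect) for four sensors with at most one fault.

    `suspect` is the index of the sensor that none of the agreeing pairs
    contains, or None when all six pairs agree. `tol` is an assumed
    agreement tolerance; with noisy sensors it must cover the noise.
    """
    if len(rows) != 4 or len(readings) != 4:
        raise ValueError("Theorem 3 setting: exactly four sensors")
    estimates = {
        (i, j): solve_pair(rows[i], rows[j], readings[i], readings[j])
        for i, j in combinations(range(4), 2)
    }
    for ref in estimates.values():
        agreeing = [p for p, e in estimates.items() if close(e, ref, tol)]
        if len(agreeing) >= 3:
            trusted = {n for pair in agreeing for n in pair}
            suspects = [n for n in range(4) if n not in trusted]
            x3 = sum(estimates[p][0] for p in agreeing) / len(agreeing)
            x4 = sum(estimates[p][1] for p in agreeing) / len(agreeing)
            return (x3, x4), (suspects[0] if suspects else None)
    # Two pairs that both contain a wrong reading can only agree on the true
    # state, so fewer than three agreeing pairs means more than one fault.
    raise ValueError("no three sensor pairs agree: more than one fault?")


def sense(rows, state):
    """Constructed sample input: noise-free readings y_k = c_k . x."""
    return [a * state[0] + b * state[1] for a, b in rows]


if __name__ == "__main__":
    y = sense(SENSORS, (0.3, -0.2))
    y[2] = -5.0  # constructed byzantine reading at the third sensor
    print(estimate_state(SENSORS, y))
```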

Dynamic Adaptive Control Scheme for Beam Vibration (at k-th node)

Input: time interval length t_b,
       node configuration (output by static fault-tolerant scheme)
Output: gain factor g_k
Procedure:
  (Initially)
  set g_k = syk (From Eq. 30)
  set i = 1 and Vo = Vl
  while true do
    at the beginning of time interval I_i
      let Vi = (V_{i-1} − V_{i-2}) / t_b
if  Vi  <  Vi  then  Vi  =  Vi 
additional  gain  Agk  — 

Li= 1  Vi 

      update gain g_k = (g_k + Δg_k)
    increment i by one
  od

Theorem 4. The five node distributed control system for beam vibration
resulting from the dynamic adaptive fault-tolerant scheme is self-stabilizing
fault-tolerant.

Proof. We know that the 5 node on-off distributed control system tolerates one
byzantine fault. Hence, in the dynamic adaptive system, when the gain factor
becomes sufficiently high so as to get the control forces to the maximum, the
system is guaranteed to stabilize. □


Optimization. Instead of activating all 5 nodes, we can again start off by
activating just 2 nodes. If the local velocities do not drop after say 10 time intervals,
an additional node could be activated until all five nodes are active.


Simulation.  In  Fig.  6,  we  show  the  energy  in  the  beam  plotted  against  time  (in 
seconds)  for  the  dynamic  scheme.  We  compare  the  performance  with  that  of  the 
earlier  schemes  in  the  following  three  cases: 

—  no  faulty  nodes  in  the  system  :  desired  control  is  achieved  with  2  nodes  in 
the  system, 

—  one  node  that  generates  random  forces  :  desired  control  is  achieved  with  3 
nodes  in  the  system,  and 

—  one  byzantine  node  which  generates  maximum  force  in  the  wrong  direction 
:  desired  control  is  achieved  with  4  nodes  in  the  system. 


Fig. 6. Adaptive Dynamic Fault-Tolerant Scheme (energy vs time). Curves: no faults, 1 byzantine node, 1 random node.
3.6 Dynamic Balancer Scheme

In the previous scheme, the actual Lyapunov derivative at time t was
approximated by using the difference between two previous Lyapunov functions. If the
applied actuator forces can also be measured at each location, the exact
Lyapunov derivative can be computed. The fault can then be precisely balanced out
by the normal nodes. This is the idea underlying the fault-balancer scheme.

Dynamic Balancer Control Scheme

Input: time interval length t_b,
       node configuration (output by static fault-tolerant scheme)
Output: local gain factor g_k
Procedure:
  (Initially)
  local gain factor, g_k, is set as |(s − 1)
  so that u_k = g_k · y_k = |(s − 1)y_k (see Section 3)
  set i = 1
  while true do
    at the beginning of time interval I_i
      compute the actual Lyapunov derivative Vi
      compute the expected Lyapunov derivative V,
      if Vi < Vi then Vi = Vi
      compute the additional gain Δg_k to provide margin, (Vi − Vi)
      update g_k = (g_k + Δg_k)
    increment i by one
  od

Application  of  the  Scheme  in  Beam  Vibration  Control  Knowing  the 
correct  sensor  values  and  actuator  forces  at  each  location,  we  can  compute  the 
Lyapunov  derivative  for  the  beam  by  using  Eq.  29.  The  general  fault-balancer 
scheme  described  above  is  then  adapted  for  the  beam  vibration  control  system 
as  done  in  the  adaptive  fault-tolerant  scheme. 

Theorem 5. The five node distributed control system for beam vibration
resulting from the dynamic balancer fault-tolerant scheme is self-stabilizing
fault-tolerant.

Proof. We know that the 5 node on-off distributed control system tolerates one
byzantine fault. Hence, in the dynamic balancer system, when the gain factor
becomes sufficiently high so as to get the control forces to the maximum, the
system is guaranteed to stabilize. □

In Fig. 7, we show the energy in the beam plotted against time (in seconds)
for the adaptive dynamic scheme. As with the previous schemes, three cases
are considered. The dynamic balancer scheme precisely balances the erroneous
control value and recovers from the fault. The scheme relies on immediate
feedback of the applied control forces and results in the fastest convergence among the
3 schemes: dynamic, dynamic adaptive and dynamic balancer.
Fig. 7. Dynamic Balancer Fault-Tolerant Scheme (energy vs time). Curves: no faults, 1 byzantine node, 1 random node.


4  Energy  Spent  in  Control 

In this section, we compare the energy spent to asymptotically stabilize the beam
in the four schemes discussed above. In the static scheme, each node always
applies a constant force, irrespective of the current sensed force. Hence it results
in maximum energy spent to asymptotically stabilize the beam. The three
versions of the linear scheme result in less energy spent in control. The graphs in
Fig. 8 show the energy spent in control of the beam, corresponding to the
experiments described in Section 3. In these experiments, the control level for the
on-off scheme was set to 5. For each of the linear control schemes, the actuator
forces were bounded by a maximum value of 5, thus making the comparisons
meaningful. Also note that the random and byzantine disturbances are
continuous and continue to persist even when the energy in the beam has been brought
down to a very small value. The energy spent in control shown in the graphs is
the energy required to bring down the energy in the beam to 1% of its original
energy.

Fig. 8. Energy Spent to Asymptotically Stabilize the Beam. Bars: static, dynamic, adaptive dynamic, dynamic balancer.

5 Conclusions

In this paper, based on Lyapunov functions, we formulated two types of
fault-tolerant control for linear control systems: masking and self-stabilizing. Masking
control systems retain their asymptotic stability in the presence of faults. We
devised a static fault-tolerant scheme that yielded masking control, and
demonstrated the scheme in the context of a beam vibration control system. In this
scheme, the control was made on-off at the maximum level, which meant that
more energy could be spent than what was required if a byzantine node did not
exert the worst possible forces. This constraint was relaxed in three successively
more efficient schemes that yielded self-stabilizing control, which guaranteed
eventual asymptotic stability of the control system. All schemes considered in
the paper were distributed. Further, we did not assume the services of an
underlying layer to detect the faults. In fact, the faults at the component level were
abstracted to the control level and they were tolerated without any knowledge
about their cause or nature.

An interesting direction for future research is to design systems that tolerate
faults introduced by the middleware services due to unreliable communication
channels, e.g. delays and omissions of messages. Regarding further extensions to
our work, we would like to focus on fault-tolerant control theory for nonlinear
and hybrid systems. We would also like to study the effect of continuous external
perturbations on fault-tolerant control systems.